Initialize fs-verity keys in shell script
This gives us two benefits: - Better compatibility with keyctl(1), which doesn't have "dadd" - Pave the way to specifying keys' security labels, since keyctl(1) doesn't support them and we want to avoid adding an incompatible option. Test: See keys loaded in /proc/keys Bug: 128607724 Change-Id: Ia45f6e9dea80d037c0820cf1fd2bc9d7c8bb6302
This commit is contained in:
parent
b4ef0beb99
commit
59183120c2
6 changed files with 40 additions and 67 deletions
|
@ -30,7 +30,6 @@ static void Usage(int exit_code) {
|
|||
fprintf(stderr, "usage: mini-keyctl <action> [args,]\n");
|
||||
fprintf(stderr, " mini-keyctl add <type> <desc> <data> <keyring>\n");
|
||||
fprintf(stderr, " mini-keyctl padd <type> <desc> <keyring>\n");
|
||||
fprintf(stderr, " mini-keyctl dadd <type> <desc_prefix> <cert_dir> <keyring>\n");
|
||||
fprintf(stderr, " mini-keyctl unlink <key> <keyring>\n");
|
||||
fprintf(stderr, " mini-keyctl restrict_keyring <keyring>\n");
|
||||
fprintf(stderr, " mini-keyctl security <key>\n");
|
||||
|
@ -56,14 +55,6 @@ int main(int argc, const char** argv) {
|
|||
std::string data = argv[4];
|
||||
std::string keyring = argv[5];
|
||||
return Add(type, desc, data, keyring);
|
||||
} else if (action == "dadd") {
|
||||
if (argc != 6) Usage(1);
|
||||
std::string type = argv[2];
|
||||
// The key description contains desc_prefix and an index.
|
||||
std::string desc_prefix = argv[3];
|
||||
std::string cert_dir = argv[4];
|
||||
std::string keyring = argv[5];
|
||||
return AddCertsFromDir(type, desc_prefix, cert_dir, keyring);
|
||||
} else if (action == "padd") {
|
||||
if (argc != 5) Usage(1);
|
||||
std::string type = argv[2];
|
||||
|
|
|
@ -86,53 +86,6 @@ static bool GetKeyringId(const std::string& keyring_desc, key_serial_t* keyring_
|
|||
return false;
|
||||
}
|
||||
|
||||
int AddCertsFromDir(const std::string& type, const std::string& desc_prefix,
|
||||
const std::string& cert_dir, const std::string& keyring) {
|
||||
key_serial_t keyring_id;
|
||||
if (!GetKeyringId(keyring, &keyring_id)) {
|
||||
LOG(ERROR) << "Can not find keyring id";
|
||||
return 1;
|
||||
}
|
||||
|
||||
std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(cert_dir.c_str()), closedir);
|
||||
if (!dir) {
|
||||
PLOG(WARNING) << "Failed to open directory " << cert_dir;
|
||||
return 1;
|
||||
}
|
||||
int keys_added = 0;
|
||||
struct dirent* dp;
|
||||
while ((dp = readdir(dir.get())) != NULL) {
|
||||
if (dp->d_type != DT_REG) {
|
||||
continue;
|
||||
}
|
||||
std::string cert_path = cert_dir + "/" + dp->d_name;
|
||||
std::string cert_buf;
|
||||
if (!android::base::ReadFileToString(cert_path, &cert_buf, false /* follow_symlinks */)) {
|
||||
LOG(ERROR) << "Failed to read " << cert_path;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (cert_buf.size() > kMaxCertSize) {
|
||||
LOG(ERROR) << "Certficate size too large: " << cert_path;
|
||||
continue;
|
||||
}
|
||||
|
||||
// Add key to keyring.
|
||||
int key_desc_index = keys_added;
|
||||
std::string key_desc = desc_prefix + std::to_string(key_desc_index);
|
||||
key_serial_t key =
|
||||
add_key(type.c_str(), key_desc.c_str(), &cert_buf[0], cert_buf.size(), keyring_id);
|
||||
if (key < 0) {
|
||||
PLOG(ERROR) << "Failed to add key to keyring: " << cert_path;
|
||||
continue;
|
||||
}
|
||||
LOG(INFO) << "Key " << cert_path << " added to " << keyring << " with key id 0x" << std::hex
|
||||
<< key;
|
||||
keys_added++;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int Unlink(key_serial_t key, const std::string& keyring) {
|
||||
key_serial_t keyring_id;
|
||||
if (!GetKeyringId(keyring, &keyring_id)) {
|
||||
|
|
|
@ -18,11 +18,6 @@
|
|||
|
||||
#include <string>
|
||||
|
||||
// Add all files in a directory as certificates to a keyring. |keyring| could be the keyring
|
||||
// description or keyring id in hex.
|
||||
int AddCertsFromDir(const std::string& type, const std::string& desc_prefix,
|
||||
const std::string& cert_dir, const std::string& keyring);
|
||||
|
||||
// Add key to a keyring. Returns non-zero if error happens.
|
||||
int Add(const std::string& type, const std::string& desc, const std::string& data,
|
||||
const std::string& keyring);
|
||||
|
|
|
@ -8,6 +8,7 @@ LOCAL_MODULE := init.rc
|
|||
LOCAL_SRC_FILES := $(LOCAL_MODULE)
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
|
||||
LOCAL_REQUIRED_MODULES := fsverity_init
|
||||
|
||||
# The init symlink must be a post install command of a file that is to TARGET_ROOT_OUT.
|
||||
# Since init.rc is required for init and satisfies that requirement, we hijack it to create the symlink.
|
||||
|
@ -56,6 +57,15 @@ endif
|
|||
|
||||
endif
|
||||
|
||||
#######################################
|
||||
# fsverity_init
|
||||
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE:= fsverity_init
|
||||
LOCAL_MODULE_CLASS := EXECUTABLES
|
||||
LOCAL_SRC_FILES := fsverity_init.sh
|
||||
include $(BUILD_PREBUILT)
|
||||
|
||||
#######################################
|
||||
# init.environ.rc
|
||||
|
||||
|
|
29
rootdir/fsverity_init.sh
Normal file
29
rootdir/fsverity_init.sh
Normal file
|
@ -0,0 +1,29 @@
|
|||
#!/system/bin/sh
|
||||
#
|
||||
# Copyright (C) 2019 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Enforce fsverity signature checking
|
||||
echo 1 > /proc/sys/fs/verity/require_signatures
|
||||
|
||||
# Load all keys
|
||||
for cert in /product/etc/security/fsverity/*.der; do
|
||||
/system/bin/mini-keyctl padd asymmetric fsv_product .fs-verity < "$cert" ||
|
||||
log -p e -t fsverity_init "Failed to load $cert"
|
||||
done
|
||||
|
||||
# Prevent future key links to .fs-verity keyring
|
||||
/system/bin/mini-keyctl restrict_keyring .fs-verity ||
|
||||
log -p e -t fsverity_init "Failed to restrict .fs-verity keyring"
|
|
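Review bot: Every certificate is added under the same description `fsv_product` (the padd line inside the for loop), whereas the removed AddCertsFromDir deliberately appended an index to the description; a keyring's index is keyed by key type plus description, so a second padd with an identical description appears to replace the earlier link rather than add a second key, leaving only the last *.der usable — worth confirming against the kernel in use. Deriving the description from the file name keeps each key distinct: `desc="fsv_product_${cert##*/}"` followed by `/system/bin/mini-keyctl padd asymmetric "$desc" .fs-verity < "$cert" ||`. Separately, when the directory contains no .der files the glob stays unexpanded and the loop runs once on the literal pattern, logging a spurious failure; `[ -f "$cert" ] || continue` as the first statement of the loop avoids that. The write to require_signatures has no failure logging either, unlike the two mini-keyctl calls; appending `|| log -p e -t fsverity_init "Failed to enable require_signatures"` keeps the script's error handling consistent.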
@ -420,12 +420,7 @@ on post-fs-data
|
|||
|
||||
# Load fsverity keys. This needs to happen before apexd, as post-install of
|
||||
# APEXes may rely on keys.
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
|
||||
# Prevent future key links to fsverity keyring
|
||||
exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
|
||||
# Enforce fsverity signature checking
|
||||
write /proc/sys/fs/verity/require_signatures 1
|
||||
exec -- /system/bin/fsverity_init
|
||||
|
||||
# Make sure that apexd is started in the default namespace
|
||||
enter_default_mount_ns
|
||||
|
|
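Review bot: The replacement `exec -- /system/bin/fsverity_init` drops the second removed line, which loaded certificates from `/vendor/etc/security/cacerts_fsverity`, while the new script only globs `/product/etc/security/fsverity/*.der`; if vendor-supplied fs-verity certificates are still expected, nothing loads them after this change, and if the drop is intentional the comment above the exec should say so. That comment still reads `# Load fsverity keys`, but the script also enables require_signatures and restricts the keyring, so `# Load fsverity keys, restrict the .fs-verity keyring and enforce signature checking.` would describe what the exec line now does. It is also worth recording there that the script enables require_signatures before loading keys, the reverse of the removed ordering, which is the fail-closed direction.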